Technology Governance Needs a Rethink on Prioritising Resilience Against Digital Threats
From the water we drink, to the roads we drive on, to the information we consume, technology is woven into the fabric of society. Nearly every aspect of our lives depends on technology. However, the convergence of digital threats with physical risks has increasingly become evident. A single cyberattack or technological disruption can bankrupt a business or put human lives at risk.
This raises the question: Do organizations prioritize digital risks? The answer is negative. Research shows that only three percent of businesses have developed true resilience against cyber threats. Here are primary reasons for this disparity:
1.Overreliance on Technology, Inadequate Emphasis on Resilience
Many organizations incorporate technology to propel business growth, disregarding the potential consequences of system failures. Consider the case of smart motorways in the UK, originally engineered to be safe and worry-free. We know today they are not. Was the government operating under the assumption (or misconception) that technology would be flawless and solve all problems? Recall the global CrowdStrike incident. Did financial institutions, hotels, airports, and hospitals write contingency plans dealing with a complete shutdown of their operations?
2.Lack of Commitment from the Top
No doubt, businesses worry about cybersecurity and protecting information. However, they struggle with the equitable allocation of resources — whether to invest in product features, new markets, or improving the customer experience. When organizations look to trim costs, security is too often the target. That’s because security does not easily lend itself to convenient ROI metrics.
3.Lack of Transparency in Third-party and Supply Chain Relationships
In the past year, more than half of organizations (54%) suffered a software supply chain attack, with the average attack going undetected for about 235 days. An organization’s ecosystem is no longer confined to four walls but extends through multiple layers and hierarchies. The challenge lies in really understanding the most effective strategies for managing risk across multiple levels.
4.Neglecting the Human Factor
Many organizations view cybersecurity as a technological issue that can only be addressed by technological means, overlooking the important role of people. This approach has inherent risks because people are often the primary cause of cybersecurity breaches. On the flip side, it is the versatility and creativity of people and their adaptability in detecting anomalies and identifying social engineering schemes that will ultimately help the organization resolve and recover from cybersecurity attacks.
How Can Organizations Foster Resilience and Improve Governance?
Organizations must evolve and advance, but they should also bear in mind that nothing is foolproof. Cyber criminals are well-trained and well-funded enterprises, with access to sophisticated state-of-the art tools. Below are some best practices to foster resilience and cybersecurity governance:
1.Retain Basic Skills: While it’s beneficial to train employees to rely on technology, it is also important to equip staff with basic skills for emergency situations where devices and laptops fail or are no longer accessible.
2.Hold People and Organizations Accountable: Governments, legislators, board of directors and other stakeholders need to shift from a passive “it happens” attitude towards holding entities accountable for their decisions. Did they assess the risk appropriately? Did they plan for a contingency by preparing an alternative course of action? Do they anticipate unexpected events such as a cyberattack?